68 Million Exposed in Old Dropbox Hack

The email addresses and passwords pertaining to a total of 68,648,009 Dropbox accounts have been compromised following a data breach in 2012.

News of the Dropbox breach emerged several months after a series of mega-breaches were made public, impacting hundreds of millions of users: LinkedIn (167 million), Myspace (360 million), Tumblr (65 million), and VK (170 million). 32 million Twitter accounts were also impacted, but the company said that the issue was password reuse, and not a hack.

The Dropbox incident took place in July 2012, but the number of affected users wasn’t revealed until now. At the time, Dropbox said that it was investigating complaints from users who were receiving spam at email addresses used only for this service, and that several security measures were taken to ensure accounts weren’t compromised.

The root cause of this breach, Dropbox revealed at the time, was a stolen employee password: “A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses. We believe this improper access is what led to the spam. We’re sorry about this, and have put additional controls in place to help make sure it doesn’t happen again.”

Last week, Dropbox started prompting password resets for the possibly affected users, while also revealing that the move is related to the 2012 incident. The company also confirmed that “email addresses plus hashed and salted passwords” were stolen during the breach, but said that it wasn’t aware of any account being improperly accessed.

With the hacked data being traded online, additional info on the breach started to emerge this week, as the dataset landed at various breach index services, including LeakedSource and Have I Been Pwned. These services have confirmed not only that the hack was real, but also the number of impacted users.

According to Troy Hunt, the man behind Have I Been Pwned, the leaked data includes salted hashes of passwords: half of them SHA1, half of them bcrypt. He notes that the relatively even distribution of the two indicates a transition from SHA1 to bcrypt. He also explains that the bcrypt hashes include the salt, but that the SHA1 hashes don't. Without the salts, he says, the SHA1 hashes are nearly impossible to crack.
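As an added illustration (not code from the article, Dropbox or Have I Been Pwned), this Python sketch shows the storage difference described above from a defender's side: a bcrypt string carries its own cost and salt, while a bare SHA1 hex digest has no salt in it, so an audit of a credential table can count each scheme and flag accounts to re-hash at next login. The rows, the `min_cost` threshold of 10 and the function names are constructed for the example.

```python
import hashlib
import re
from collections import Counter

# bcrypt modular-crypt string: "$2a$" (or 2b/2x/2y), a two-digit cost,
# then 22 characters of salt followed by 31 characters of hash.
BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")
SHA1_HEX_RE = re.compile(r"^[0-9a-fA-F]{40}$")


def classify(stored):
    """Describe one stored password value by its format alone."""
    m = BCRYPT_RE.match(stored)
    if m:
        # The salt travels inside the string, next to the cost factor.
        return {"scheme": "bcrypt", "cost": int(m.group(2)), "salt": m.group(3)}
    if SHA1_HEX_RE.match(stored):
        # A 40-hex digest has no salt field; the salt, if one was used,
        # has to be kept somewhere else.
        return {"scheme": "sha1", "cost": None, "salt": None}
    return {"scheme": "unknown", "cost": None, "salt": None}


def audit(rows, min_cost=10):
    """Count schemes and list users whose hash should be upgraded.

    min_cost is an assumed policy value, not one taken from the article.
    """
    counts, needs_upgrade = Counter(), []
    for user, stored in rows:
        info = classify(stored)
        counts[info["scheme"]] += 1
        if info["scheme"] != "bcrypt" or info["cost"] < min_cost:
            needs_upgrade.append(user)
    return counts, needs_upgrade


# Constructed sample rows (not real credentials or leaked values).
SALT22 = "abcdefghijklmnopqrstuv"
HASH31 = "0123456789ABCDEFGHIJKLMNOPQRSTU"
SAMPLE_ROWS = [
    ("alice@example.test", hashlib.sha1(b"constructed-salt" + b"pw").hexdigest()),
    ("bob@example.test", "$2a$08$" + SALT22 + HASH31),
    ("carol@example.test", "$2a$12$" + SALT22 + HASH31),
]

if __name__ == "__main__":
    print(audit(SAMPLE_ROWS))
```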

Hunt was able to confirm that the leaked data is legitimate, but says that, considering the manner in which the passwords are stored, “all but the worst possible password choices are going to remain secure even with the breach now out in the public.” However, users should still change their passwords, especially if Dropbox prompted them to do so.

“Based on our threat monitoring and the way we secure passwords, we don’t believe that any accounts have been improperly accessed. Still, as one of many precautions, we’re requiring anyone who hasn’t changed their password since mid-2012 to update it the next time they sign in,” Patrick Heim, Head of Trust & Security for Dropbox, said. Users are also advised to enable two-step verification to ensure increased security.

In an email response to a SecurityWeek inquiry, IT security expert Sorin Mustaca said that the surprising fact is that the 2012 hack of Dropbox didn’t emerge earlier, along with the other mega-breaches. He also notes that the use of the SHA1 hashing algorithm with salting improves the security of these passwords.

“Fortunately, Dropbox was using the SHA 1 hashing algorithm (today this is not considered “strong” anymore) and it was using salting even in 2012 – an operation that many other services don’t do even today. Many are using legacy systems which make use of MD5 without hashing – I guess that the ‘never change a running system’ is still applied literally in many websites,” Mustaca said.

To stay protected, he says, users should create unique passwords for each of the services they use, never reuse passwords, and enable two-factor authentication wherever it is available. Service providers should never store passwords in plain text or in encrypted form, but should use a strong hashing function with a solid salt.

In an emailed comment for SecurityWeek, Chris Roberts, Chief Security Architect at Acalvio, a Santa Clara, Calif.-based provider of advanced threat detection and defense solutions, says that he too is surprised that the details regarding this hack have started to emerge only now.

“That's an awfully long time to wait before publicly stating that ‘we have an issue’. It's frustrating that the organization potentially knew of the problem, but didn't confirm it, as there was no credible evidence that the data was in the wild? It would be good to work out or understand why Dropbox didn't put its hand up and admit the issue back in 2012. Instead, the company waited 4 years until someone actually dropped the hacked accounts after probably harvesting who knows how much intelligence,” he says.

He too notes that people usually tend to stick to a certain number of passwords or pass phrases, which could potentially impact accounts on other services as well. “If the bad guys know it, you can be sure they have/are/will be testing all those other sites,” Roberts says.

“Changing passwords at this point is probably akin to closing the gate once the horse has bolted. Nevertheless, it's obviously something that has to happen. Then change them again...just to be sure. I would then recommend that you stick them in a good password manager…and then change that password. I’m not sure that's going to solve anything, but it's probably better than most people have or currently use,” Roberts concludes.

Steve Durbin, Managing Director of the Information Security Forum, also says that good password hygiene is critical to both users and service providers. To ensure that their data remains safe even if an account has been compromised, users should back it up offline, he notes.

“You can outsource storage and access to a third party but you cannot outsource your responsibility for security of your data – stuff happens and when it hits, it’s the user who loses. Encryption certainly helps, but not if it isn’t the latest and greatest. Expect brute force attacks to break through. One area that consumers need to focus on is passwords. Change them regularly, mix them up, don’t share them and don’t expect them to be 100% effective. Passwords will be lost. They will be stolen. They are not perfect. However, they’re pretty close to the best we’ve got in terms of user acceptability and convenience vs. security,” Durbin says.